Thanks David - all the updates have been made to the latest draft. I will wait until the current review period ends and then re-publish, along with any other comments or feedback we may receive.
Cheers

Pieter

On Wed, Dec 10, 2025 at 8:43 PM David Mandelberg <[email protected]> wrote:
>
> On 2025-12-08 at 09:58, Pieter Kasselman wrote:
> > The text already addresses the "neighbouring country" problem with IP
> > addresses, so I'll leave that as is.
>
> I think places like Svalbard and Antarctica are different from
> neighboring countries, because they can have countries that don't share
> any border operating in the same place. I have no idea how that impacts
> IP geolocation though, and I don't think either place has a large
> population, so it might not be worth worrying about.
>
> Thinking about it more, this feels like something that's probably out of
> scope for this document, but maybe should be handled elsewhere by
> something that lists as many limitations of IP geolocation as possible.
>
> > Regarding the whiteboard example, in theory access could be limited to
> > displaying files, but displaying files also requires access to them and
> > assumes a level of fine-grained access control that is not typically
> > implemented. Access is often granted at the directory or repository
> > level (or repositories), not on a per-file basis. The degree of access
> > is dictated by the Access Token, and it is not unheard of that the
> > token obtained from such a flow would give much broader access than just
> > allowing files to be displayed (overprivileged tokens are often used in
> > lateral moves, for example). Consequently, relying on the scope of access
> > as a mitigation to allow for the use of Device Authorization Grant is
> > problematic.
> >
> > In terms of protocols, both CIBA and Device Authorization Grant are
> > exploitable in the context of cross-device flows. Of the two, Device
> > Authorization Grant has proven to be more easily and commonly exploited.
> >
> > The attack you describe in the context of CIBA is possible, but it is
> > much more specific and narrowly scoped compared to all the attacks that
> > become possible if a system uses Device Authorization Grant instead.
> > Device Authorization Grant opens up different and more commonly
> > exploited attacks.
> >
> > In general, CIBA is harder to exploit than Device Authorization Grant. In
> > the context of the attack you describe, it raises the bar for the
> > attacker regarding timing and the scale of execution (targeting one vs
> > targeting millions simultaneously) compared to the attacks against the
> > Device Authorization Grant. Sometimes the best we can do is to raise the
> > bar and choose the options that are harder to exploit. I have come to
> > think of these trade-offs as "lesser of evils" exercises... FIDO with
> > WebAuthn is your safest bet if you need cross-device authentication and
> > authorization.
>
> Makes sense. I think CIBA's security could be improved by showing the
> same code on both devices and telling the user to compare them, but
> maybe all the use cases that would benefit from that should just use
> FIDO instead.

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
